When we hear about Syrian hackers working on behalf of the regime of embattled President Bashar al-Assad, we think of the Syrian Electronic Army, the group of digital troublemakers that has hammered the Twitter feeds and websites of several Western media organizations, and has attacked Twitter itself.

But there are lesser-known groups using malware and attacking activists and people sympathetic to Syrian rebels, and according to a report released earlier this week, their activities are on the rise.

I’m a bit late to this, owing to the holiday, but the findings come from security researchers at the University of Toronto’s Citizen Lab and the Electronic Freedom Foundation. Hackers who support the Syrian regime have been documented trying to use malware attacks against journalists, workers at non-governmental organizations and others, using social-engineering techniques and remote-access tools. One in particular is a rare Trojan that attacks Apple’s Mac OS X.

In one case, the attackers were able to seize control of a Facebook page belonging to a pro-opposition group, and to use that power to delete comments warning others not to follow a link that led to a malware download.

In another case, links to Dropbox files accompanying YouTube videos contained malware linked to servers that are known to have been controlled by pro-Assad hackers in the past.

The Mac Trojan, which caught some media attention when it was first detected, turned out to be a so-called “false flag” operation. It first appeared to have been created by the Syrian Electronic Army, though it’s unclear why. That group later disavowed responsibility.

The report goes into a lot of technical detail about how the different attacks work. It’s essentially a warning to Syrians or anyone who may be involved with the conflict to be careful and to pay attention to the latest attack techniques. “The malware campaigns appear to be becoming more and more sophisticated, incorporating greater levels of social engineering,” it says. “Additionally, the presence of possible false flag operations muddies the waters, making it more difficult to identify actors.”

Samsung Phone Studied for Possible Security Gap

Tue, 24 Dec 2013 13:30:01 +0000

The security platform for Samsung Electronics Co.’s best-selling Galaxy S4 smartphone suffers from a vulnerability that could allow malicious software to track emails and record data communications, according to cybersecurity researchers at Israel’s Ben-Gurion University of the Negev.

The alleged security gap, which the researchers say they discovered earlier this month, comes as Samsung pitches the new security platform called Knox to potential clients at the U.S. Department of Defense and other government and corporate entities, in a bid to compete with BlackBerry Ltd., whose devices have been considered the gold standard among security-conscious clients for years.

Lookout Warns App That Pays for Unused Text Messages Is a Big-Time Security Threat

Thu, 19 Dec 2013 22:46:53 +0000

Mobile security vendor Lookout is warning customers that an app that pays users to send text messages on their behalf is dangerous and should be avoided.

The app, called Bazuc, proposes that users allow them to send text messages from their plan. In exchange, it offers to pay users a tenth of a penny for each message sent.

But, contrary to the claims made on the site, Lookout said its testing showed Bazuc is sending mostly bulk messages rather than text messages from international users abroad.

“It’s very clearly only being used for bulk mailing,” Lookout principal security researcher Marc Rogers told AllThingsD. “In our entire testing we only saw three messages that came from a human.”

Rogers said the company also tried to send messages using a companion free international texting app but said it did not appear those messages were being sent.

A Bazuc representative did not immediately return a request for comment.

Rogers said the risk to those who use the app is enormous, ranging from getting angry phone calls from unhappy recipients, to seeing their phone lines canceled to perhaps facing legal liability if illegal messages are sent from their account.

“It’s the user that is going to be left holding the bag,” Rogers said. In addition, he noted, the website posts testimonials suggesting users can earn tens of dollars per month, when he said the figure is likely to be only a few dollars — and even at that level a carrier is likely to notice the excess usage and take action.

Rogers also said it is his belief that those sending the messages are being misled as to how their messages are being delivered. During testing, Rogers said, the company found large businesses — even some banks — using Bazuc to send texts to customers.

For its part, Lookout said it plans to warn those of its customers that have Bazuc installed as well as notify carriers and those who are using the other end of the service.

Lookout said it believes between 10,000 and 50,000 people downloaded it from the Google Play store alone.

The app, which had been in app stores including Google Play, has since been pulled, though Bazuc still has the Apple App Store and Google Play logos on its site. In fine print, the site notes the Apple version is not yet available even though it uses the “available on the App Store” logo.

Bazuc still offers the app via its website (and as of Thursday afternoon, the company was actively trying to force it down to the computers of at least some of those visiting the site).

Chinese Hackers Used Fake Syrian News and Carla Bruni Pics to Attack Foreign Embassies

Tue, 10 Dec 2013 22:25:10 +0000

Remember how, earlier this year, an American security research firm sniffed out a unit of China’s People’s Liberation Army that appeared to be responsible for a series of complicated hacking attacks against numerous American and European companies dating back to the middle of the last decade?

Today there’s news about more Chinese hacking attacks, and this time it’s a campaign against the foreign ministries of several countries. The report comes from the security firm FireEye — the one that went public in the fall — which said it had gained visibility into 23 different servers used to command and coordinate the attacks, which date back to 2010.

“This report demonstrates that attackers are able to successfully penetrate government targets using exploits for vulnerabilities that have already been patched and despite the fact that these ministries have defenses in place,” the report said.

FireEye researchers have dubbed the campaign “Ke3chang” and said that at least one tactic was to use malware-infected email attachments that appeared to be updates on the unfolding humanitarian crisis in Syria. Ahead of the G20 meeting in Russia over the summer and as news headlines focused on the possibility of a U.S.-led military strike on Syria, attackers used interest in the subject to trick employees at foreign ministry agencies of European countries and their embassies around the world into opening malware-infected documents.

An earlier campaign in 2011 used the lure of a password-protected trove of nude photos of Carla Bruni, wife of Nicolas Sarkozy, the former French president.

A third, in 2012, targeted a company described only as being in the “Chemicals/Manufacturing/Mining Sector” with a campaign using false links to information about the London Olympics.

The decoy in a fourth campaign, also launched in 2012, was a hacking threat report purported to come from McAfee, the Intel-owned security software company.

In each case the decoy files or documents were infected with roughly two dozen variants of three different malware programs: One called BS2005, one dubbed BMW and one known as MyWeb.

Researchers then watched what the malware did: It captured information and forwarded it on to a network of 23 servers. The researchers then mapped all the IP addresses that the domains resolved to, collected the domain names that resolved to those IP addresses, and determined that the number of command-and-control servers in the network could be as high as 99. Most of those were located in either the U.S., China or Hong Kong.

Since the location of the servers doesn’t necessarily mean that the attackers were from China or even necessarily Chinese, they tried to perform what’s called an “attribution analysis.” Clues within the malware files, including linguistic characteristics, suggest that whoever built the malware used Chinese language characters, FireEye says. Additionally, a control panel used to interact with compromised machines contained a mix of English and Chinese commands. Test runs of the detected malware also suggested that the creators built the programs on Windows machines with the default language set to Chinese.

A New Worm Proves That the Internet of Things Is Vulnerable to Attack

Sat, 30 Nov 2013 17:40:34 +0000

One of the basic technologies that enables what we often refer to as the Internet of Things is embedded Linux, a version of Linux that runs on machines that aren’t computers in the traditional sense. A lot of the new “smart” devices joining Wi-Fi networks in the home and office are running some variant of it, as do a lot of those home-Wi-Fi routers themselves.

Researchers at security-software company Symantec say they’ve found a worm that proves that, eventually, these devices may be ripe for attack. It’s called Linux.Darlloz, and it appears to have been built to infect versions of Linux found in home routers, TV set-top boxes and security cameras, and also some industrial-control systems.

Writing for Symantec’s corporate blog, researcher Kaoru Hayashi says the worm targets versions of Linux running on Intel and other x86 chips, but there are already variants that target Linux on other chips, including ARM, PowerPC and MIPS.

If you’ve ever set up a home router, then you’ve encountered these “hidden” operating systems running on these devices. The worm is designed to take advantage of an 18-month-old vulnerability in the OS that presents a Web interface to users for setting it up. These systems will often have basic user names and passwords like “admin” and “12345,” and the worm tries several known combinations of these, if any are required.

If it encounters a vulnerable target, the worm downloads itself from a host server and then executes. Once it does that, it creates the file directories it’s going to use, and then seeks to cut off remote access to the now-infected machine by killing Telnet and other processes that may be running. Then it deletes a lot of other files.

And then it starts looking for a way to spread itself again. It does this by generating random IP addresses. If one of those addresses on the network turns out to be reachable, it then starts looking for directories that indicate if that original vulnerability is present, and the whole process starts over.

Hayashi says the worm doesn’t seem to do much now beyond propagating itself, and, indeed, attacks against non-PC devices haven’t yet been observed. But it could represent a troubling indicator of things to come, as more smart devices are joining networks every day. There’s only so much that a hacker might learn from infecting, say, your Wi-Fi-enabled scale, but try to imagine what kinds of bad things could result from your home-security camera becoming infected. Or worse, the lock on your front door.

It’s the same sort of fear that was raised when the Stuxnet worm, thought to have been created in a joint operation by the CIA and Israeli intelligence, burrowed its way into industrial-control systems at nuclear-research facilities in Iran. In one famous case, nuclear centrifuges were made to spin too fast and ultimately explode, while systems monitoring their status indicated that everything was normal.

Researchers have long worried that criminals and other troublemakers would study the basic ideas of Stuxnet and adapt the techniques used to wreak havoc on the home front. Though they’re different in many ways, it’s not too much of a stretch to say that the same fundamental principles could be at work here.

In the case of this worm, home users may never know that their devices are infected. And even if they do, Hayashi worries that the original vendors may not offer software updates to patch the vulnerability. Some of them, he writes, are even too old to accept new software in the first place. Be a little worried.

It sounds cliche, but mobile is the single-biggest secular technology platform shift of our time. It’s so big, it bears repeating, and for entrepreneurs (and investors like me), presents edge-of-our-seats opportunities waiting to be unlocked. This is no surprise, of course, as every big company and small startup is trying to focus on mobile. With so much competition in the mobile world, entrepreneurs could benefit by knowing a secret, and in this post, I will share one secret I’ve uncovered through my years of being a mobile entrepreneur and working on the “Facebook Home” team at the social network. This secret, I believe, could unlock an ever-lasting, durable, mobile technology company, not just an app someone launches on their phones and forgets about.

I’ll cut to the chase: The secret is that there’s an opportunity for a mobile-focused startup to build the equivalent of Google’s Chrome Browser. While the details of this vision differ slightly on Apple’s iOS platform versus Android (and forks of Android), in this post I will focus on Android because it offers an open platform for developers.

In order to appreciate the secret, we must revisit the past, both personally and professionally. Before joining Facebook, I tried to start companies around browser add-on technology, and before that, I was responsible for Bing’s toolbar when I worked at Microsoft. The Web was a very different place back then. Years ago, Web browsers used “toolbars,” which now sound like a joke, but during that time, were deceptively simple add-ons that actually turned into very profitable businesses. Today, innovation in browser add-ons has largely gone away, and for good reason — browsers built in the most valuable and innovative functionality, while browser platforms and security (especially on mobile browsers) locked down add-on functionality to limit use of browser add-ons to scam unsophisticated users.

Despite their less-than-savory reputation, toolbars show how add-ons and customization can improve the user experience of widely used software while generating sizeable returns for their developers. As toolbars made browsers more functional and interesting for the user, behind the scenes, toolbar developers were getting paid handsomely by Google, Yahoo, Bing and Ask for the search traffic they generated when they changed and “protected” the default search provider. As toolbars devolved from useful add-ons into conduits for malware, viruses and spyware, they were still a real business for their developers, who have reaped billions of dollars in search syndication revenue. To summarize, the evolution of the toolbar space loosely followed this pattern: Original browser experiences ceased to innovate after commoditization; then add-ons innovated the browsing experience (search boxes, form fill, etc.); then the underbelly of the Internet maliciously took advantage of browser add-on hooks; then core add-on functionality was built directly into browsers and add-on hooks were narrowed; and, eventually, the core browser experience innovation via toolbars and browser add-ons ended.

It’s important to revisit this history as it provides an analog for mobile today. In the world of Android, “launchers” — and more broadly, the Android Intents system and overall platform design — behave similarly to browser add-ons in their prime: Hooks to improve the core product experience with very few guardrails. With hundreds of launchers already available and more on the way, there’s no point in releasing a new Android launcher unless we’re ready to learn from the aforementioned toolbar phenomenon. Just like toolbars, Android launchers need to focus on innovating the core phone experience in order to be installed and retained by users. And similar to toolbars, successful launcher developers will be chasing syndication deals as a key source of revenue generation.

This cozy arrangement probably won’t last forever though, because some launcher developers will pee in this pool of opportunity by using Android’s platform hooks for unsavory purposes — the same way some toolbar developers did. Not only can launchers bundle replacement apps for the native phone dialer, camera, browser, calendar, mail, SMS, keyboard and more, launchers can hide competitive apps and drive users to their alternatives, i.e., apps that are paying syndication fees. Viruses, spyware that steals your data, and over-commercialization are the obvious demons, but so is simply degrading the user experience with poorly designed products that are just front doors for revenue-sharing schemes. This will no doubt happen, so users should be cautious about which launchers they download.

The long history lesson is important because the principles may repeat themselves today. Here, if history repeats itself, launcher apps will eventually go extinct the way toolbars have. For a few years, toolbars were a very interesting and lucrative business. Then, browser publishers like Firefox and Microsoft simply incorporated the innovative browser add-on functionality into the browser, rendering add-ons obsolete while also tightening the add-on platforms to keep the bad actors at bay.

So now … back to our secret. I believe there is a massive opportunity for a developer to create the mobile equivalent of Google’s Chrome browser on Android devices. This focused user-centric strategy could easily put a startup in position to control the third mobile platform — something Microsoft, Palm, Amazon and many others have spent billions of dollars to try to achieve without success to date. So developers who want to build a lasting large company should look for ways to rethink the core Android experience to “wow” users, and not worry at all about the easy money that will come from syndication deals and newfound ad real estate. There is unlimited potential to improve every aspect of the phone experience, and it’s amazing that there aren’t more startups trying to do this, because the rewards will be immense. First movers who bet deeply and execute flawlessly have a shot at this opportunity.

Beware, though — there is stiff competition here as well. Super-polished new apps like Cover are re-setting expectations for what is possible on Android while making iOS users jealous. Some companies are already moving beyond the launcher to the next level and replacing the entire Android OS with a customized version, as startups like CyanogenMod and Xiaomi’s MIUI do, because they’ve hit upon the limits of Android’s platform in their quest to build the best product experience. Their next step is to release devices loaded with a customized OS that removes all of the friction of installing on top of an existing OS. Both of these companies are clearly on the way to doing something special, but there is a little voice in the back of my head that wonders if this strategy is analogous to Chrome OS. Of course, that chapter is unwritten, so it will be exciting to watch and see how this all unfolds.

Bubba Murarka is a Managing Director at DFJ. A product manager and entrepreneur by training, Murarka is now a venture capitalist focused on mobile and, most recently, spent five years at Facebook where he started the Facebook Home project and was responsible for Facebook’s Android products. Follow him on Twitter at @bubbam.

On Chrome Web Store, Real Games Mix With Mario Knockoffs

Fri, 06 Sep 2013 20:15:40 +0000

We’ve heard it over and over again (and arguably for good reason): Nintendo does not make games for platforms it does not control. So, imagine my surprise yesterday when I stumbled across a dozen or so Mario games on Google’s Chrome Web Store.

These games are no more real than that Rolex you bought for $15 in Times Square — they’re unlicensed, generally low-quality knockoffs, taking advantage of the openness of Google’s browser, which just turned five. Many of the store’s new native desktop apps look like snazzy cousins of the apps you might find in the Google Play Store on Android; however, in Chrome’s Web app store (I know, these product names are all confusing), it’s still the Wild West.

In addition to the fake Marios, a cursory search of the Web app store yesterday turned up knockoffs of many other popular franchises: one for Fruit Ninja, two for Crash Bandicoot, four for Doodle Jump, nine for Candy Crush Saga and 10 for Sonic the Hedgehog. A source with knowledge of the store said Google investigates unauthorized apps if the content owners report the offending apps to the company.

These fakes mix with real apps, like Rovio’s official Angry Birds Chrome Web app, and to separate the good from the bad, users have to check the developer’s website name. For example, one of the Candy Crush Saga knockoffs lists as its website candycrushsaga.blogspot.com, which is not one of King’s sites. The official site for that game is candycrushsaga.com.

I asked a Nintendo spokesperson if the company was aware of the Mario knockoffs, and she returned the following generic statement from Nintendo of America:

Nintendo video games are offered only on Nintendo systems such as the Wii U and Nintendo 3DS. Applications on the Apple or Google marketplaces that purport to be Nintendo video games are not legitimate and users who download these applications may expose themselves to spyware or other malicious software […]

Wait, malicious software? Yes, it’s possible, as 80,000 users learned last year by way of a fake Bad Piggies Chrome app. According to security company Barracuda Networks, that’s the number of users who installed a bogus Bad Piggies and got some “aggressive adware” to boot. Bonus!

The Nintendo statement continued, “Nintendo actively monitors the unauthorized use of its intellectual property, and will continue to seek removal of any unauthorized content in these marketplaces.”

Taking these specific games out of the Chrome store won’t completely neutralize potential security threats posed by current or future games, of course. But the very thing that makes the store work — a search, discovery and recommendation-focused design that makes these games and services more accessible to Chrome users — may mislead gamers who don’t think to look too closely.

“We remove apps from the Chrome Web Store that do not comply with our terms of service,” a Google spokesperson said. Some of the Mario games I mentioned in my emails to the company have now disappeared from the Chrome store, but here is a screenshot of how they were showing up for me in the store’s main trending section yesterday.

Four Out of Five Malware Menaces Choose Android

Tue, 27 Aug 2013 21:34:53 +0000

Android is the world’s most widely used smartphone operating system. It’s also the one most often targeted by malware ne’er-do-wells.

According to a survey conducted by the U.S. Department of Homeland Security and the FBI and uncovered by Public Intelligence, the majority of malware targeting mobile operating systems in 2012 was intended for Android. Indeed, Android was targeted by an astonishing 79 percent of all smartphone malware that year — far, far more than any other OS. The agencies found that iOS was targeted by 0.7 percent of malware attacks, Windows Phone and BlackBerry by 0.3 percent and Symbian by 19 percent.

In a memo citing the research circulated nationwide to law enforcement, security and emergency personnel, the DHS and FBI note that a significant number of Android users continue to run older versions of the OS that leave them open to a number of security vulnerabilities — something companies with rival operating systems love to point out.

Such was the case for Facebook, which on Thursday explained a recent outage in a number of third-party apps on the Facebook Platform.

The gist of it: On Tuesday, a number of developers whose apps are connected to Facebook Platform were disabled with no immediate explanation. For a period of time, the devs were left in the dark, and took to online forum Hacker News to complain about the outage. After a period of time, the apps were up and running again.

Two days later, Facebook cleared up the problem. As Facebook employee Eugene Zarakhovsky explained this morning, Facebook’s security team recognized a pattern in a series of malicious apps, and the company’s automated systems disabled the apps in question. “This normally results in thousands of malicious apps being disabled and improves our automated systems’ ability to detect similar attacks in the future,” Zarakhovsky wrote.

Unfortunately for some developers, some legit apps were caught in the crossfire.

On August 13th, we undertook such a procedure. We started with a broad pattern that correctly matched many thousands of malicious apps but, unfortunately, also matched many of your high quality apps. When we detected this error, we immediately stopped the process and began work to restore access. The process took longer than expected because of the number of apps affected and bugs related to the restoration of app metadata.

Still, Facebook wants to make good on its screw-up, and promises to work on “better tools” so a problem like this won’t happen again.

“Our team is invested in learning from these incidents and making sure Facebook Platform stability continues to improve,” Zarakhovsky wrote.

How a Routine Malware Outbreak Cost One Government Agency Millions

Tue, 09 Jul 2013 21:17:46 +0000

Some days you just have to stop and pay some attention to gross incompetence when you see it. That was my reaction to a story first reported on The Verge that is fascinating in the way that watching a train wreck can be fascinating.

The report below by the U.S. Department of Commerce’s Office of Inspector General details the case of a malware outbreak on computers belonging to the Economic Development Administration in late 2011. In what could only politely be described as a, er, cluster-frig, when only two pieces of the agency’s IT infrastructure were infected, it thought that 146 had been.

You won’t believe what ultimately happened. Over the course of five weeks, miscommunication between the Commerce Department’s Computer Incident Response Center and the EDA led its CIO to ultimately order the physical destruction of $170,000 worth of IT components, including PCs, printers, TV sets (what?), digital cameras and mice. On top of that, it paid a security contractor more than $823,000, spent more than $1 million on temporary infrastructure and shelled out $688,000 for contractors to help with a “long term recovery solution.” All told, the agency spent about $2.7 million, or more than half its annual IT budget, fighting a virus that should have taken at most an afternoon to correct. At one point the agency was borrowing surplus computers from the Census Bureau so that employees could get their work done.

The report cites one key factor: Staff members at DOC CIRT were “inexperienced” and suffered from “inadequate knowledge,” and lacked the ability to respond properly to a malware outbreak, which hindered the application of an appropriate response. The person who handled the call from the EDA “had minimal incident response experience, no incident response training, and did not have adequate skills to provide incident response services.”

It sounded so bad I couldn’t believe it until I read the report myself. All 33 pages documenting American tax dollars at work in agonizing, bureaucratic detail are below, though one critical detail is missing: I want to know, was anyone fired?

Juniper Study Finds Mobile Malware Grew 600 Percent, Targets Android Most

Wed, 26 Jun 2013 14:46:09 +0000

Careful what you install on your smartphone. The number of malware programs masquerading as legitimate mobile apps grew by more than 600 percent in 2012, according to a new survey by the networking company Juniper.

Juniper’s third annual report on the state of mobile security is out today. It says the firm detected a total of 276,259 mobile malware apps, up from 28,500 in 2011 and only 11,000 in 2010.

The mobile platform with the biggest target on its back is Google’s Android. Juniper says that malware aimed at phones running that operating system accounts for 92 percent of all mobile malware it has encountered.

The report goes on to explain that mobile malware for Apple’s iOS, the next-most-popular platform in terms of market penetration, is “noticeably absent” from its malware sample database. “Theoretical exploits for iOS have been demonstrated, as well as methods for sneaking malicious applications onto the iOS App Store,” the report says, but criminals have tended to favor Android as their target, because there is less oversight on the process of releasing applications into the wild.

About 73 percent of mobile malware was either FakeInstallers or SMS Trojans, which exploit holes in mobile payment systems to turn a quick profit. And they get around. Juniper says it found more than 500 third-party Android app stores operating around the world — and few catering to jailbroken iOS devices — distributing instances of malware.

Another issue facing Android users is the multiple variants of the OS in circulation. Juniper cites Google as saying that as of June 3 only four percent of Android users were running the most recent version of the OS, which cleans up vulnerabilities that are exploited by about 77 percent of Android malware.

It’s also just the latest in a series of industry reports tracking the rising concern of mobile security. Earlier this month, the security software firm Check Point reported the findings of a survey suggesting that most businesses experienced some kind of mobile security incident in the past year.

That’s not hard to imagine, especially in light of some of the newer tactics being employed by malware creators. In April, Lookout noticed that some malware it dubbed BadNews behaves in a perfectly benign manner at first, only serving up ads, but later pivots to using its access to the phone to install more malignant malware.

In the guidance, officials asked companies to develop security controls that would protect the confidentiality and integrity of data and limit malfunctions in the event of computer viruses, which they said could lead to patient harm.

A Contrarian Futurist

Tue, 28 May 2013 18:27:59 +0000

The Churchill Club recently asked a handful of VCs to share a couple of non-obvious technologies that we expect to disrupt markets over the next five years. Here are my two predictions.

EyePhones Will Replace iPhones

Remember MS-DOS commands, and the WordStar keystroke combinations we had to memorize? Then the first Macintosh featured a mouse-driven GUI that was game-changing because it removed a layer of friction for both the data going in and coming out. When we tried that first model, we knew we could never go back to a C prompt.

And yet the impact of graphical computing was minor compared to how facial computing will change our lives, and how we all relate to The Collective. Think of it as a man-in-the-middle attack on our senses, intercepting all the signals we see and hear, and enhancing them before they reach our brains.

This is not science fiction, and based on prototypes I’ve seen, it’s a good bet that design teams in Google, Apple, Samsung and various military contractors are building eyewear computers that will render smartphones as obsolete as the first generation of mobile computer. I’m not talking about Google Glass, with its cute little screen in the corner. I mean an immersive experience that processes what we see, and then overlays graphical objects onto our field of view for true Terminator vision. The U.S. military has this capability today, so that troops can see pointers to their platoon members and markers of known IED locations. So now it’s just a question of making the hardware small, cheap and available in four adorable colors.

Not only will our favorite apps on eyewear computers be more immediate and engaging, but we’ll experience new computing capabilities so compelling that we’ll find them indispensable. For example, eyewear computers can record our lives and enable us to summon any relevant conversation or incident from our past. With eyewear computers, we can truly share experiences in real time, transporting ourselves to the perspective of someone on a ski slope, or in a night club, Wimbledon match or the International Space Station.

Just as Terminator did in the movie, we will air-click on actual things we see to interact with, investigate or purchase. We’ll integrate facial recognition and CRM for background data on everyone we meet. When we travel abroad, signs will appear to us in English, and when someone is speaking to us, we can simply turn on English subtitles.

A new generation of games will be more immersive and engaging than ever before.

Five years from today, when smartphone sales are in decline, we will ask ourselves: Remember when we used to spend our days looking down at those little screens?

Cyber Warfare Becomes Okay

Ever since Hollywood gave us “War Games,” the fear of cyber apocalypse has gripped America. We’ve outlawed hacking to such an extent that if you’re shut down by a cyber attack, or your data has been stolen, it’s a federal crime to even probe the attacking computers, let alone disable them. Rather than educate and activate our best and brightest hackers, we prosecute and imprison them.

Businesses haven’t complained, because they’ve never wanted to fight back. You can’t prosecute the attackers even if you find them, and admitting a breach may spook customers and even invite more attacks. So, instead of fighting, we’ve just quietly taken the punches, and wished it all away. But wishing it away is like trying to reduce teen pregnancy by preaching abstinence.

Two years ago I watched a TED audience cheer Ralph Langner for exposing the Stuxnet worm which our government developed to retard Iran’s nuclear weapons program. It was as though the U.S. and Israel invented malware. Somehow, it was evil for us to use cyberspace to stop the most vitriolic, warmongering fundamentalist on our planet from making nuclear bombs. Because cyber is “unconventional,” we somehow consider it to be just as taboo to use as nuclear and chemical weapons.

Meanwhile, the New York Times reported this morning that “Hackers Find China is a Land of Opportunity.” Not only has China allegedly hacked Google and Evernote to spy on its citizens, but it has funded massive efforts to steal information valuable to economies and national security. Attacks on our banks, utilities and defense contractors can be traced back to units in the Chinese military. We even know what building they’re in.

As cyber war rages on around us, I predict that Americans will come to appreciate that cyber operations can achieve our military and intelligence objectives far better than bullets and bombs. Cyber weapons are faster, more effective, safer, and orders of magnitude cheaper than kinetic weapons. Stuxnet penetrated where missiles cannot.

Indeed, the stigma associated with offensive cyber activity is breaking down, now that cyber attacks have exploded in frequency and scale. The banks are now asking the Feds to join the fight, so DHS, FBI and NSA are trying to figure out how to collaborate, without going to jail themselves for hacking or disclosing classified data.

This sea change presents great opportunities for startups to build a new ecosystem of cyber capabilities that defend our nation and support our military and intelligence objectives. We’ve got the best security experts in the world. New startups are enabling the exchange of threat data, using honeypots to collect counter intelligence on foreign hackers, and deploying Hadoop clusters to track botnets. They even develop exploits around newly discovered vulnerabilities to deliver offensive payloads.

Over the next five years, our nation will embrace the capabilities of American hackers to fight back in cyberspace, securing our economy and our lives. Our Defense Department will need fewer bombers, missiles and destroyers, leading to a Cyber Dividend that will fund health care, education and debt reduction.

Did Stuxnet Actually Improve Iran's Nuclear Capabilities?

Wed, 15 May 2013 18:36:25 +0000

Friedrich Nietzsche is credited with the old saying: “That which does not kill us makes us stronger.” Today there’s an interesting report concerning Stuxnet and the Iranian nuclear research program that is proving it.

The U.K.’s Telegraph has a story today on a report in a British academic journal, arguing that the Stuxnet malware used to attack and sabotage Iranian nuclear enrichment sites in 2010 may have had the net effect of helping Iran get better at enriching uranium.

Stuxnet, you’ll recall, is the most famous of a series of cyber weapons said to have been used by the U.S. and Israel in a series of joint operations meant to sabotage and delay the ability of Iranian nuclear scientists to enrich uranium and eventually build a nuclear bomb.

Never officially acknowledged by either the U.S. or Israel, the Stuxnet source code was taken apart by computer-security researchers who determined that only a motivated government could have the resources to build it. And the only motivated governments in the world with sufficient know-how are the U.S. and Israel, their argument went. The New York Times finally all but proved them right.

Using data gathered from the International Atomic Energy Agency, King’s College researcher Ivanka Barzashka concluded that the Stuxnet attacks exposed weaknesses in Iranian systems that would otherwise have gone undetected, and which have since been patched. Since then, she said, Iran has regrouped and actually boosted its capacity to enrich uranium.

The story goes that the Stuxnet worm was introduced in 2009 via a series of USB drives dropped by intelligence operatives near a targeted facility at Natanz. The worm penetrated computers running pretty much any variant of Microsoft’s Windows, looking for a specific set of machines hooked up to a series of Siemens programmable logic controllers — computers that sit between desktop PCs and industrial equipment like, say, nuclear centrifuges.

What it did was show operators a screen depicting centrifuges running normally, while at the same time issuing commands to those centrifuges to spin too fast. Ultimately, several of them exploded. The estimate at the time was that Iran’s nuclear efforts had been set back by two years. It has now been four years since that attack was alleged to have taken place. If Barzashka’s findings are confirmed — and that’s admittedly not going to be easy — it would raise some serious questions about whether or not the Stuxnet attacks were such a good idea in the first place.

Q:

You recently mentioned the HTC One as being priced at $200. I’ve just been on the phone with my carrier T-Mobile, which offers me the HTC One for $100 down and $20 a month for 24 months. They explain they “no longer offer discounted phones” under their new world order or whatever. Can you explain?

A:

In the U.S., carriers traditionally subsidize the price of mobile phones and then make back the money by requiring buyers to sign a two-year contract, so they don’t defect before the carrier has made back the subsidy from them. Under this formula, the HTC One is indeed $200 at AT&T.

But T-Mobile recently announced a new approach under which it won’t subsidize the phones, but will charge something close to what the phone maker charges it, spread out in monthly payments. In return, it won’t require a two-year service contract. In the case of the HTC One and some other high-end smartphones, like the iPhone 5, that amounts to $100 down at purchase, plus $480 over two years — $20 a month. The actual voice and data service is in addition to the cost of the phone.

Q:

I have always been a Windows user, and always used security software. I just purchased a new iMac and the folks at the Apple store have told me that security software is not needed on Apple computers. What is your opinion?

A:

The Mac isn’t invulnerable to security problems. It’s just not targeted nearly as often as Windows PCs are. Relatively few Mac owners use security software because almost none of the vast array of malware programs around is designed for the Mac. Nearly every one is designed to run on Windows, and they can’t run on the Mac operating system, unless you install Windows on the Mac.

My advice: If security software makes you more comfortable, use it. Otherwise, unless you install Windows, the odds that your Mac could be successfully attacked are low enough that security software isn’t needed. However, you are still vulnerable to scams which rely on greed, carelessness or fear to get you to open suspicious links in email. Never do this, especially if the email purports to be from a financial institution or credit-rating service.

BadNews Shows a New Direction for Mobile Malware

Sat, 20 Apr 2013 23:00:33 +0000

And while we’re on the subject of hacking and malware, if you’re a user of an Android phone — and if you happen to speak or send messages in Russian — you might want to have a closer look at some of the applications you’ve been running.

Lookout Mobile Security said yesterday that it has detected a significant outbreak of malware lurking inside 32 different apps that it says have been downloaded a combined two million to nine million times. (It’s unclear why that range is so large.)

Google was notified and the company removed the affected apps and killed the developer accounts associated with them. And Lookout’s product, the company says, gives its customers protection against it.

It’s called BadNews, and Lookout says it masquerades as “an innocent, if somewhat aggressive advertising network.” The network would initially serve up only ads, but later on, after having passed security scrutiny, it would start pushing malware to affected devices. Among other things, the servers controlling the apps were caught pushing AlphaSMS, a well-known app that creates fraudulent text messages.

One key takeaway is that apps need to be vetted and re-vetted more than once. “Enterprise security managers must assume that even very well-designed app-vetting processes will not be able to detect malicious behavior that hasn’t happened yet,” Lookout says. The delay in the bad behavior allowed it to be distributed pretty widely before the problems were detected.

About half of the naughty apps are in Russian, and AlphaSMS is intended to commit SMS fraud in Russia and neighboring countries, including Ukraine, Belarus, Armenia and Kazakhstan, Lookout says.

The folks at Lookout do happen to know a thing or two about hacking phones. In fact, its CEO, John Hering, appeared onstage at D: Dive Into Mobile earlier this week to show AllThingsD’s Liz Gannes just how easy it can be to hack a phone. It certainly doesn’t seem to be getting any harder.

Several CBS News Twitter Accounts Hacked

Sat, 20 Apr 2013 20:20:55 +0000

Careful what you click on via Twitter for the next few hours, especially if the link comes with a provocative headline and is from an affiliate of CBS or one of its network news programs.

CBS News confirmed via its primary Twitter account that various accounts operated by its high-profile news magazine shows “60 Minutes” and “48 Hours” have been compromised. The links are said to be serving up malware, so, again, don’t click on them.

Also confirmed to have been hacked is @CBSDenver, the Twitter account associated with the news division of the local affiliate in Denver, Colo.

We have experienced problems on Twitter accounts of #60Minutes & @48Hours; We apologize for the inconvenience; Twitter is resolving issues

Since the offending tweets will probably disappear within the hour, here are some screen grabs. (Update: They already vanished.)

Lookout Shows Just How Easy It Is to Hack a Phone -- And How You Can Prevent It (Video)

Tue, 16 Apr 2013 20:02:11 +0000

If you think that only computers can be infected with malicious software, think again.

Today at the D: Dive Into Mobile conference in New York, mobile security provider Lookout demonstrated just how easy it is to hack into a phone, and offered up some tips on ways to protect yourself.

Lookout founder and CEO John Hering joined AllThingsD’s Liz Gannes onstage, where he showed examples of common phone hacks, using two phones — one acting as the hacker and another that was the target of the attacks.

One instance was a phish-y email from a seemingly real account. An email from AllThingsD boss Walt Mossberg appeared in Hering’s phone inbox — only it wasn’t really from Walt.

“We’re starting to see a fundamental shift in the attacks on mobile devices in a post-PC era,” Hering said. “One of the most common vectors we’re seeing is targeted attacks, especially with how easy it is to spoof emails.”

He also showed how a phone user who downloads a game app directly from an email, rather than from a legitimate app store, is vulnerable to malware. The “hacker” phone was able to see text messages sent to the user phone, after that user downloaded malicious content.

The tactics hackers use on smartphones are not all that different from what they do on computers. You might open up your Gmail to find what looks like a legitimate email from a friend or colleague asking you to download an app — say, a free copy of Angry Birds. But it’s actually spyware, and once it’s installed on your phone, the hacker can access private information, reset passwords to lock you out of your accounts, and more.

Lookout said these types of social engineering tactics are really effective, and can fool even smart people. It’s a scary thought, but Lookout says there are some practical things you can do to protect yourself and your device:

Be wary of links from people asking you to download or install something.

Only download apps from trusted sources, like the Google Play Store.

Look at the permissions before downloading any app, and make sure they match the functionality of the app.

Of course, the company also recommends using a mobile security app like Lookout, which can help monitor and alert you to potential threats. NQ Mobile, Avast, Kaspersky and many others offer similar solutions.

Lauren Goode contributed to this report.

Facebook Blocks NBC Website After Hacking Scare

Thu, 21 Feb 2013 22:12:36 +0000

On Thursday, Facebook users were not able to access links to NBC.com through the Facebook website, after reports surfaced that NBC.com had been hacked and was spreading malicious software to visitors.

“We will take action on Facebook when we observe malicious behavior on domains and sub-domains that are being shared; however, we don’t comment on specific sites,” a Facebook spokesperson told AllThingsD.

The news comes on the heels of a string of highly publicized hacking attacks on popular websites and companies, including Facebook, Apple and Twitter. All three of the aforementioned sites suffered instances of malware attacks.

NBC did not immediately respond to a request for comment.

Iran Raised Its Cyberwar Game After Stuxnet, U.S. General Says

Fri, 18 Jan 2013 13:55:59 +0000

After the Stuxnet malware attacks that are thought to have caused several Iranian nuclear centrifuges to explode, Iran has been steadily boosting its ability to carry out attacks against computer networks, and is growing into “a force to be reckoned with.”

That was the warning given by Gen. William Shelton (pictured in a file photo), head of the U.S. Air Force’s Space Command, which is also in charge of the Air Force’s cyberwar group, in a speech in Washington, D.C., yesterday, which was covered by Reuters.

Shelton’s warning comes nine days after security experts familiar with the opinion of U.S. government officials told the New York Times that Iran is behind a series of denial-of-service attacks in late 2012 meant to disrupt the normal flow of financial business. Banks affected included Bank of America, Citigroup, Wells Fargo, U.S. Bancorp, J.P. Morgan Chase and PNC.

The attacks were largely seen as a retaliation not only for Stuxnet, but for other malware-based campaigns that are thought to have been targeted against Iran: Flame, which turned computers into sophisticated spying tools, using their built-in video cameras and microphones; and Gauss, which sought to intercept bank account information.

Shelton didn’t speak directly to whether or not Iran has attacked U.S. government networks, but said that its efforts are ongoing.

Shelton referred to the Stuxnet attack in 2010 as the “Natanz situation.” In that instance of sophisticated digital sabotage, as reported by the New York Times, malware targeting Windows burrowed its way into industrial control computers called Programmable Logic Controllers, targeting a specific setup in a specific configuration. The malware then seized control of those systems and caused some centrifuges to spin out of control and ultimately explode, while computer monitors displaying the condition of those centrifuges showed them to be normal. At the time, the damage was thought to have set the Iranian nuclear research program back by about two years.

Shelton says it had another effect: An increase in Iranian resolve to strike its enemies in the cyber realm. “The Iranian situation is difficult to talk about,” Reuters quotes Shelton as saying. “It’s clear that the Natanz situation generated reaction by them. They are going to be a force to be reckoned with, with the potential capabilities that they will develop over the years and the potential threat that will represent to the United States.”

That’s the gist of the U.S. Department of Homeland Security’s latest vulnerability advisory on Java, which has been in the headlines for the past week because of yet another critical vulnerability that could be exploited to install and execute malicious code on unguarded systems.

CERT’s recommendation, while blunt, echoes that of security researchers who have long said the best solution for the perennially vulnerable Java is to dump it entirely. As Twitter engineer and security expert Charlie Miller told Reuters, “It’s not like Java got insecure all of a sudden. It’s been insecure for years.”

Moscow-based Kaspersky Lab said Monday that it had uncovered a sustained series of targeted attacks stretching back to at least 2007 after receiving a tipoff from an anonymous source. The attacks were made using a piece of malware christened Operation Red October, or Rocra, that was designed to make copies of encrypted files, as well as more regular office documents.

Oracle Patches Java Vulnerability

Mon, 14 Jan 2013 08:01:55 +0000

Oracle says it has repaired a security flaw in its Java software that inspired a rare call from the Department of Homeland Security, advising consumers to disable the software entirely.

On Sunday afternoon, Oracle released a patch for the critical vulnerability, which could be exploited to install and execute malicious code on unguarded systems. And not a moment too soon. By the end of last week, security researchers had already spotted malware designed to exploit it in the wild. Some theorized the flaw potentially put more than 850 million PCs at risk.

In a bulletin, Oracle said that the patch not only repairs the vulnerability, but switches Java’s security setting to “high” by default. “The default security level for Java applets and web start applications has been increased from ‘medium’ to ‘high,’” Oracle said in an advisory today. “… With the ‘high’ setting the user is always warned before any unsigned application is run to prevent silent exploitation.”

A thoughtful additional precaution — though one you’d think it would have occurred to Oracle to add earlier on. But are these measures sufficient to protect consumers who use Java? Java security expert Adam Gowdiak isn’t so sure. “We don’t dare to tell users that it’s safe to enable Java again,” Gowdiak told Reuters. H.D. Moore, chief security officer at the security firm Rapid7, took an even dimmer view of the patch and the software itself. “Users should simply disable it,” he told Forbes. “The amount of utility it offers is so much smaller than the risk it creates for users. It’s much safer to leave it off.”

Lookout Launches Mobile Security App for Kindle Fire HD

Wed, 02 Jan 2013 21:56:56 +0000

Today, Lookout released a version of its mobile security app for the Amazon Kindle Fire HD. Like the smartphone version, Lookout for Kindle can help detect and remove any malware or viruses hidden in apps or email attachments. It can also back up contacts to Lookout’s Web site, as well as help locate your device if it’s lost or stolen. Lookout for Kindle is available now for free from the Amazon App Store or Kindle Fire App Store.

Beware of Malware: Mobile Security Apps to Safeguard Your Phone

Thu, 20 Dec 2012 14:00:38 +0000

If you think that only computers can get viruses, think again.

According to a report by research group Juniper Networks, hackers are increasingly targeting smartphones and other mobile devices with malicious software (also known as malware) to gain access to personal information. The threat is still small in comparison to computers, but that doesn’t mean you shouldn’t take precautions to protect your smartphone.

This week, I took a look at two mobile security apps that can help monitor and alert you to any potential threats. They are Lookout Mobile Security and Avast Free Mobile Security. Both are free (Lookout also has a paid version with extra features), and both scan your phone for malware, back up contact information and more.

I’ll go into more detail about each app later in this column — don’t worry, your smartphone won’t be riddled with annoying pop-up ads — but first, a little more explanation on malware, what it does, and how it gets on your phone.

Malware is software that can wreak havoc on your mobile phone, often without your knowledge. Depending on the type of malware, it can access private information, such as passwords, which can lead to identity theft; it can also track your location, make unauthorized charges to your cellphone bill, and more.

As with computers, problems can arise when you download apps or files from unknown sources, click on suspicious links, or browse unsafe Web sites. Most people are wise enough to avoid such traps, but hackers are sneaky in the ways they disguise malware.

For example, it may look like you’re downloading a legitimate free copy of Angry Birds or clicking on a link to the Google Play Store, but they could be fakes. Once you open a malicious app or visit an unsafe Web site, the malware can install itself on your phone and start doing harm.

Apple and Google both have procedures in place to help keep malicious apps out of their respective marketplaces. Apple has a very rigorous review and app-approval process. As a result, the iPhone is less susceptible to malware attacks, though not completely immune to them.

Google’s Android operating system is less curated than Apple’s. On the one hand, this allows developers to release and update their apps faster. But it also opens the door to more counterfeits and attacks.

Lookout Mobile Security

Lookout Mobile Security is a free app for both iOS and Android devices. Its basic features include scanning your phone for malware and viruses, backup and restoration of contacts, and remotely locating your phone.

There is also a premium Android version, which I found to be the most useful. It includes a privacy report for all apps, and the ability to remotely lock and wipe your phone’s data in case it’s stolen, among other things. The company offers a 14-day trial of the premium app; afterward, it costs $3 per month or $30 a year.

I tested Lookout on the Motorola Droid Maxx HD and, upon launching the app, it immediately scanned the smartphone for any potential threats. It also ran tests every time I downloaded an app from the Google Play Store or from GetJar, an independent Android marketplace that I use.

I downloaded a fake virus called Eicar from the Google Play Store (the app does not harm your device, and is used for testing mobile security apps). As soon as it started downloading, Lookout alerted me that it was a virus, and that it should be removed. There are options to find out more information, as well as an uninstall button.

Lookout’s privacy report feature was extra helpful. It showed which apps were accessing which information — location, contacts and messages, for example. I always skip over the terms of agreement and permissions while downloading an app, but this feature gave me an easy way to see what each app was doing.

I also like that I could back up my contacts to Lookout’s Web site. One other cool feature of Lookout is Signal Flare. The tool automatically records your phone’s location when your handset’s battery is low. Lookout said it created the feature after learning that about 30 percent of people were unable to locate their lost or stolen phone because their battery was dead.

I tried it out on my iPhone 4, and after it went completely dead, I logged onto Lookout’s Web site and found its last location pinned on Google Maps under the Missing Devices tab.

Avast Free Mobile Security

Avast Mobile Security offers many of the same features of Lookout — all for free. But it only works with Android devices.

I thought this mobile app’s interface was cleaner and easier to navigate than Lookout’s. I scheduled it to run a scan on my apps and SD card every day at midnight. It ran the tests with no problem. I also used the Eicar test on Avast. It displayed a message right away, saying, “Eicar Anti Virus Test has been reported as malware,” and it gave me the option to get more information or to uninstall.

Avast lacks a backup feature like Lookout’s, which was disappointing. But the company says it plans to offer this function early next year.

That said, Avast offers a plethora of tools to keep your data safe if your phone is stolen or lost. You can remotely lock it, trigger a siren or wipe data. You can even send a message to display on your screen, such as “If found, please contact this number,” or “Get away from my phone, you thief!” All worked well in my tests.

Some of Avast’s features will be overkill for the average consumer. For example, there’s a Firewall mode for users who have modified their phone, so hackers can’t access their device.

Without mobile security apps, you can protect your device by doing things like only downloading from trusted sources, reading app reviews, and not viewing or sending private details over public Wi-Fi networks. But the number of malware attacks is on the rise, and if you want to go a step further, Avast or Lookout can be a great help.